I've set up a kdc server and I'm able to kinit from my client and get a ticket for ssh, nfs. I'm noticing nfs slow to mount, and disconnects randomly when mounted with sec=krb5p. When I mount insecurely this does not happen. I read that this has to do with gss but have not found a solution.
thanks.
On 08/01/2017 03:24 PM, Louis Garcia wrote:
> I've set up a kdc server and I'm able to kinit from my client and get a ticket for ssh, nfs. I'm noticing nfs slow to mount, and disconnects randomly when mounted with sec=krb5p. When I mount insecurely this does not happen. I read that this has to do with gss but have not found a solution.

Have you checked journald's output for gss-related messages?

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@alldigital.com -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
- We have enough youth, how about a fountain of SMART?               -
----------------------------------------------------------------------
I found this on the client.
gssproxy[661]: gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
gssproxy[672]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
This is right after, not sure if related.
audit[651]: USER_AVC pid=651 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error er
exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org
Does this have anything to do with gssproxy on the client? I did not know I had to configure that.
Should I have SECURE_NFS=yes in /etc/sysconfig/nfs?
On 08/01/2017 06:06 PM, Louis Garcia wrote:
> should I have SECURE_NFS=yes in /etc/sysconfig/nfs ?
We kind of dislike top-posting on the list. No biggie, but try to refrain from top-posting if you can.
As to your problem, the first thing is to add "debug true" to /etc/gssproxy/99-nfs-client.conf first, then have a look at the journal again. You can also dial up the verbosity by setting "debug_level 3" in the same file.
I don't think that the AVC denial is the cause of the problem. It looks like the denial is caused by gssproxy trying to let you know it failed.
Gmail always puts replies on top. I forgot about that.
I see nothing in the journal. With debug_level 3 should I see something?
99-nfs-client.conf:
[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
debug true
debug_level 3
On 08/02/2017 08:14 AM, Louis Garcia wrote:
> Gmail always puts replies on top. I forgot about that.
> I see nothing in the journal. With debug_level 3 should I see something?
> 99-nfs-client.conf:
> [service/nfs-client]
> mechs = krb5
> cred_store = keytab:/etc/krb5.keytab
> cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
> cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
> cred_usage = initiate
> allow_any_uid = yes
> trusted = yes
> euid = 0
> debug true
> debug_level 3
Uhm, did you restart gssproxy after buggering the config file ("systemctl restart gssproxy.service")? I think it only looks at the config file when it starts up.
I don't use gssproxy, so this is all just a suggestion to try to see what it's doing. All the edits do is enable debug mode and dial up its verbosity, and it should be logging to the journal.

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@alldigital.com -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
- Blessed are the peacekeepers...for they shall be shot at           -
- from both sides. --A.M. Greeley                                    -
----------------------------------------------------------------------
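
An added example, not part of the thread and not gssproxy's own tooling: a small lint that flags option lines in a gssproxy drop-in that are not written as `key = value`, run here over the 99-nfs-client.conf posted above. The function names `sample_conf` and `lint_conf` are hypothetical, and the check assumes every option line takes the `key = value` form that the other lines of that file use.

```shell
#!/bin/sh
# Added example (not from the thread): flag option lines in a gssproxy
# drop-in that are not written as "key = value".
# Assumption: every option line takes the "key = value" form that the
# other lines of the posted 99-nfs-client.conf use.

# sample_conf prints the file as posted in the thread.
sample_conf() {
    cat <<'EOF'
[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
debug true
debug_level 3
EOF
}

# lint_conf FILE prints "LINE: text" for each line that is not blank, a
# comment, a [section] header or "key = value"; exit status 1 if any.
lint_conf() {
    awk '
        /^[ \t]*$/                             { next }  # blank line
        /^[ \t]*[#;]/                          { next }  # comment
        /^[ \t]*\[.*\][ \t]*$/                 { next }  # [section] header
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # key = value
        { printf "%d: %s\n", NR, $0; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Run against the sample; on a client, pass the real drop-in path instead.
tmp=$(mktemp)
sample_conf > "$tmp"
lint_conf "$tmp" || echo "lines above are not key = value"
rm -f "$tmp"
```

After any change to the file, gssproxy has to be restarted for it to be read, as noted in the reply above.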